Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` in `lib/functions.php` now uses purify.js to address CVE-2023-50250 (among others), but it still builds the emitted JavaScript from the unescaped PHP variables `$title` and `$header`. If either value contains a single quote, the quote terminates the JavaScript string literal it is interpolated into and whatever follows is parsed as code, so an attacker who controls those values can inject JavaScript. An attacker exploiting this vulnerability could execute actions on behalf of other users; this ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
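The following is an added example, not Cacti's own code and not the patch shipped in 1.2.27: a reduced PHP model of a helper that emits JavaScript from server-side strings, shown in the injectable form the description refers to (values interpolated into single-quoted JS literals without escaping) and in a hardened form that encodes each value with `json_encode` and the `JSON_HEX_*` flags. Function names, the `js_string` helper, the `$payload` value and the `/settings.php` URL are all illustrative assumptions.

```php
<?php
// Added example (not Cacti's code). Models the class of bug described above:
// PHP strings dropped into JavaScript string literals unescaped.

// VULNERABLE pattern: $title and $header are concatenated into single-quoted
// JS literals as-is. A single quote in either value closes the literal and
// everything after it is parsed by the browser as JavaScript.
function raise_message_javascript_vulnerable(string $title, string $header, string $message): string
{
    return "<script type='text/javascript'>\n"
        . "var mixedReasonTitle = '" . $title . "';\n"
        . "var mixedOnPage      = '" . $header . "';\n"
        . "sessionMessage = { message: '" . $message . "', level: 'MIXED' };\n"
        . "</script>\n";
}

// HARDENED pattern (illustrative, not the project's fix): turn each value into
// a JSON string literal. json_encode emits a double-quoted literal with quotes,
// backslashes and control characters escaped; JSON_HEX_TAG/APOS/QUOT/AMP also
// encode < > ' " & as \uXXXX, so the value can neither close the literal nor
// terminate the enclosing <script> element.
function js_string(string $value): string
{
    $encoded = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    // json_encode returns false on invalid UTF-8; fail closed instead of
    // falling back to the raw input.
    return $encoded === false ? '""' : $encoded;
}

function raise_message_javascript_hardened(string $title, string $header, string $message): string
{
    return "<script type='text/javascript'>\n"
        . "var mixedReasonTitle = " . js_string($title) . ";\n"
        . "var mixedOnPage      = " . js_string($header) . ";\n"
        . "sessionMessage = { message: " . js_string($message) . ", level: 'MIXED' };\n"
        . "</script>\n";
}

// Constructed payload: the leading quote closes the JS literal, the fetch()
// call runs in the victim's session, and the trailing comment marker swallows
// the rest of the original line so the script still parses.
$payload = "x'; fetch('/settings.php?action=save&x=1'); //";

echo "--- vulnerable output ---\n";
echo raise_message_javascript_vulnerable($payload, 'Header', 'msg');

echo "--- hardened output ---\n";
echo raise_message_javascript_hardened($payload, 'Header', 'msg');
```

Run with `php example.php` and compare the two `<script>` blocks: in the first, `mixedReasonTitle` is assigned `'x'` and the `fetch()` call stands on its own as a statement; in the second, the whole payload is a single string literal with the quote and ampersand rendered as `\u0027` and `\u0026`. Note that output-sanitising the rendered page with purify.js does not help here, because the injected text is inside a `<script>` element rather than in HTML markup.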
History

Wed, 18 Dec 2024 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cacti
                                      Cacti cacti
                                      Fedoraproject
                                      Fedoraproject fedora
CPEs                                  cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Vendors & Products                    Cacti
                                      Cacti cacti
                                      Fedoraproject
                                      Fedoraproject fedora

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-13T14:24:32.871Z

Updated: 2024-08-02T01:17:58.331Z

Reserved: 2024-03-21T15:12:08.998Z

Link: CVE-2024-29894

Vulnrichment

Updated: 2024-08-02T01:17:58.331Z

NVD

Status: Analyzed

Published: 2024-05-14T15:17:14.577

Modified: 2024-12-18T21:10:38.887

Link: CVE-2024-29894

Redhat

No data.